What steps should enterprise WLAN administrators take to protect their networks from the new Wi-Fi Protected Setup (WPS) attack tools like Reaver and wpscrack now making headlines?
The good news for large enterprises is that very few enterprise-grade access points implement the vulnerable Wi-Fi Protected Setup (WPS) protocol, which tools like Reaver and wpscrack try to exploit to gain unauthorized WLAN access. The bad news for SMBs and branch offices in large distributed enterprise networks is that up to one third of the 1500+ consumer-grade Wi-Fi router products now on the market could be vulnerable.
The Wi-Fi Protected Setup protocol is a Wi-Fi Alliance protocol used to automate Pre-Shared Key (PSK) configuration in WLANs secured by WPA2-Personal (aka WPA2-PSK). Instead of typing a long PSK passphrase into a Wi-Fi router and client, WPS makes it easy to add a new client by pushing a button or typing a simple 4-digit PIN. The WPS protocol makes joining a secure WLAN less error-prone and can even be necessary when connecting a keyboard-less device such as a Wi-Fi enabled camera or display.
Two researchers recently reported a weakness in the WPS PIN method, which is exacerbated by how it’s often implemented. Proof-of-concept tools like Reaver and wpscrack exploit this to repeatedly try to guess a router’s WPS PIN. Some routers stop listening to WPS PIN tries after several failures – this slows the WPS attack, making it far less practical. But those that don’t could be attacked to find the right PIN in a few hours or days, thus letting the attacker enter the PIN on his or her own client to connect to the WLAN.
To protect your own WLAN from this WPS attack, find out if your Wi-Fi access points or routers support WPS by visiting http://certifications.wi-fi.org/search_products.php and using an Advanced Search. (Those who unwisely use products that aren’t Wi-Fi certified should still dig through vendor documentation or contact support to look for WPS or something like it.)
For most enterprises, this simple safety check will be all that’s required. But anyone using a WPS-capable access point or router should learn more about their product’s vulnerability to WPS attack and recommended countermeasures (usually disabling WPS). To learn more, see the US-CERT CVE at http://www.kb.cert.org/vuls/id/723755. Beware that many products beyond those cited in the CVE are vulnerable; a few have no known workaround.
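Beyond the certification lookup, you can confirm what one of your own access points actually advertises after WPS has been disabled. The sketch below is an added example, not part of the original article: it parses the tagged parameters of a captured beacon (the bytes after the 12-byte fixed header) for the WPS vendor element and reports the WPS state and the AP Setup Locked flag, which is how an AP signals that it has stopped accepting PIN attempts. Function names and sample bytes are constructed for illustration.

```python
import struct

# Added example; names and sample bytes below are constructed, not from the article.
WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: OUI 00:50:F2, type 4 = WPS
ATTR_WPS_STATE = 0x1044                   # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057             # 1 = AP is refusing PIN attempts

def iter_ies(tagged):
    """Yield (element_id, body) pairs; stop quietly at a truncated element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def wps_status(tagged):
    """Return None when no WPS element is advertised, else its state flags."""
    for eid, body in iter_ies(tagged):
        if eid != 0xDD or not body.startswith(WPS_OUI_TYPE):
            continue  # not vendor-specific, or another vendor element (e.g. WMM)
        attrs, pos, data = {}, 0, body[4:]
        while pos + 4 <= len(data):  # WPS attributes: 2-byte type, 2-byte length
            atype, alen = struct.unpack_from(">HH", data, pos)
            attrs[atype] = data[pos + 4:pos + 4 + alen]
            pos += 4 + alen
        state = attrs.get(ATTR_WPS_STATE, b"\x00")[:1]
        locked = attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[:1]
        return {"configured": state == b"\x02", "setup_locked": locked == b"\x01"}
    return None

def _ie(eid, body):
    return bytes([eid, len(body)]) + body

# Constructed sample elements (not captured from real equipment).
SSID = _ie(0, b"branch-ap")
WMM = _ie(0xDD, bytes.fromhex("0050f202010100"))
WPS_ON = _ie(0xDD, WPS_OUI_TYPE + bytes.fromhex("104a000110" "1044000102"))
WPS_LOCKED = _ie(0xDD, WPS_OUI_TYPE
                 + bytes.fromhex("104a000110" "1044000102" "1057000101"))

if __name__ == "__main__":
    for name, tagged in [("wps off", SSID + WMM), ("wps on", SSID + WMM + WPS_ON),
                         ("wps locked", SSID + WPS_LOCKED)]:
        print(name, wps_status(tagged))
```

If the element is still present in beacons after WPS has been turned off in the admin interface, treat the setting as not having taken effect and follow up with the vendor.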
Finally, DON’T let this WPS protocol vulnerability prompt you to disable WPA2 security or use a far more vulnerable option like WEP. WPA2-PSK, when used with a long, complex passphrase and no WPS, is still a solid best practice for home and SMB WLANs. If you want to be even safer, step up to WPA2-Enterprise (802.1X).
This was first published in February 2012